revert(sign): restore gpg (#38251)

partially revert sigstore signing to avoid causing breaking change for v1.27
2026-06-29 14:21:25 +00:00 · 2026-06-28 22:44:26 +02:00
parent 4812e35486
commit 4f41ad7b91
3 changed files with 30 additions and 0 deletions
--- a/.github/workflows/release-nightly.yml
+++ b/.github/workflows/release-nightly.yml
@@ -36,10 +36,20 @@ jobs:
          TAGS: bindata
      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+      - name: import gpg key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
+        env:
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
--- a/.github/workflows/release-tag-rc.yml
+++ b/.github/workflows/release-tag-rc.yml
@@ -37,10 +37,20 @@ jobs:
          TAGS: bindata
      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+      - name: import gpg key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
+        env:
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name
--- a/.github/workflows/release-tag-version.yml
+++ b/.github/workflows/release-tag-version.yml
@@ -40,10 +40,20 @@ jobs:
          TAGS: bindata
      - name: Install Cosign
        uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
+      - name: import gpg key
+        id: import_gpg
+        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
+        with:
+          gpg_private_key: ${{ secrets.GPGSIGN_KEY }}
+          passphrase: ${{ secrets.GPGSIGN_PASSPHRASE }}
      - name: sign binaries
+        env:
+          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
+          GPG_PASSPHRASE: ${{ secrets.GPGSIGN_PASSPHRASE }}
        run: |
          for f in dist/release/*; do
            cosign sign-blob "$f" --bundle "$f.sigstore.json" --yes
+            echo "$GPG_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --batch --yes --detach-sign -u "$GPG_FINGERPRINT" --output "$f.asc" "$f"
          done
      # clean branch name to get the folder name in S3
      - name: Get cleaned branch name